Title: DDoSniffer: Detecting DDoS attack at the source agents

Authors: Vicky Laurens, Alexandre Miege, Abdulmotaleb El Saddik, Pulak Dhar

Addresses: Multimedia Communications Research Laboratory, University of Ottawa, 161 Louis Pasteur – Colonel By Hall, Ottawa, Ontario K1N 6N5, Canada; Multimedia Communications Research Laboratory, University of Ottawa, 161 Louis Pasteur – Colonel By Hall, Ottawa, Ontario K1N 6N5, Canada; Multimedia Communications Research Laboratory, University of Ottawa, SITE, 800 King Edward Ave., Ottawa, Ontario, K1N 6N5, Canada; Cistech Limited, 210 Colonnade Road, Unit 3, Nepean, ON K2E 7L5, Canada

Abstract: Distributed Denial of Service (DDoS) attacks are an important and challenging security threat. Despite the existing defence mechanisms, attackers manage to build large sets of impersonated hosts. Our approach consists in detecting DDoS directly on these hosts. We classify ongoing attacks as connection attacks or bandwidth attacks. The former are defined as attacks that generate connections with four packets or fewer; the latter as attacks that create connections with traffic ratios larger than usual. We developed a software tool, DDoSniffer, which enforces those principles. We show that it is capable of detecting a broad range of attacks within seconds.

Keywords: DoS; denial of service; DDoS attacks; distributed denial of service; DDoSniffer; attack detection; security; network protection; SYN flooding.

DOI: 10.1504/IJAMC.2009.027014

International Journal of Advanced Media and Communication, 2009 Vol.3 No.3, pp.290 - 311

Published online: 13 Jul 2009
